From: "Tobin C. Harding" <me@tobin.cc>
To: Matthew Wilcox <willy@infradead.org>
Cc: Dmitry Vyukov <dvyukov@google.com>,
Kees Cook <keescook@chromium.org>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Linux-MM <linux-mm@kvack.org>,
syzbot
<bot+719398b443fd30155f92f2a888e749026c62b427@syzkaller.appspotmail.com>,
David Windsor <dave@nullcore.net>,
keun-o.park@darkmatter.ae, Laura Abbott <labbott@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Ingo Molnar <mingo@kernel.org>,
syzkaller-bugs@googlegroups.com,
Will Deacon <will.deacon@arm.com>
Subject: Re: BUG: bad usercopy in memdup_user
Date: Wed, 20 Dec 2017 07:33:57 +1100 [thread overview]
Message-ID: <20171219203357.GT19604@eros> (raw)
In-Reply-To: <20171219132246.GD13680@bombadil.infradead.org>
On Tue, Dec 19, 2017 at 05:22:46AM -0800, Matthew Wilcox wrote:
> On Tue, Dec 19, 2017 at 07:37:46PM +1100, Tobin C. Harding wrote:
> > On Tue, Dec 19, 2017 at 09:12:58AM +0100, Dmitry Vyukov wrote:
> > > On Tue, Dec 19, 2017 at 1:57 AM, Kees Cook <keescook@chromium.org> wrote:
> > > > On Mon, Dec 18, 2017 at 6:22 AM, Tetsuo Handa
> > > >> This BUG is reporting
> > > >>
> > > >> [ 26.089789] usercopy: kernel memory overwrite attempt detected to 0000000022a5b430 (kmalloc-1024) (1024 bytes)
> > > >>
> > > >> line. But isn't 0000000022a5b430 strange for kmalloc(1024, GFP_KERNEL)ed kernel address?
> > > >
> > > > The address is hashed (see the %p threads for 4.15).
> > >
> > >
> > > +Tobin, is there a way to disable hashing entirely? The only
> > > designation of syzbot is providing crash reports to kernel developers
> > > with as much info as possible. It's fine for it to leak whatever.
> >
> > We have new specifier %px to print addresses in hex if leaking info is
> > not a worry.
>
> Could we have a way to know that the printed address is hashed and not just
> a pointer getting completely scrogged? Perhaps prefix it with ... a hash!
> So this line would look like:
>
> [ 26.089789] usercopy: kernel memory overwrite attempt detected to #0000000022a5b430 (kmalloc-1024) (1024 bytes)
This poses the risk of breaking userland tools that parse the
address. The zeroing of the first 32 bits was a design compromise to
keep the address format while making _kind of_ explicit that some funny
business was going on.
> Or does that miss the point of hashing the address, so the attacker
> thinks its a real address?
No subterfuge intended.
Bonus points Wily, I had to go to 'The New Hackers Dictionary' to look
up 'scrogged' :)
thanks,
Tobin.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: "Tobin C. Harding" <me@tobin.cc>
To: Matthew Wilcox <willy@infradead.org>
Cc: Dmitry Vyukov <dvyukov@google.com>,
Kees Cook <keescook@chromium.org>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Linux-MM <linux-mm@kvack.org>,
syzbot
<bot+719398b443fd30155f92f2a888e749026c62b427@syzkaller.appspotmail.com>,
David Windsor <dave@nullcore.net>,
keun-o.park@darkmatter.ae, Laura Abbott <labbott@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Ingo Molnar <mingo@kernel.org>,
syzkaller-bugs@googlegroups.com,
Will Deacon <will.deacon@arm.com>
Subject: Re: BUG: bad usercopy in memdup_user
Date: Wed, 20 Dec 2017 07:33:57 +1100 [thread overview]
Message-ID: <20171219203357.GT19604@eros> (raw)
In-Reply-To: <20171219132246.GD13680@bombadil.infradead.org>
On Tue, Dec 19, 2017 at 05:22:46AM -0800, Matthew Wilcox wrote:
> On Tue, Dec 19, 2017 at 07:37:46PM +1100, Tobin C. Harding wrote:
> > On Tue, Dec 19, 2017 at 09:12:58AM +0100, Dmitry Vyukov wrote:
> > > On Tue, Dec 19, 2017 at 1:57 AM, Kees Cook <keescook@chromium.org> wrote:
> > > > On Mon, Dec 18, 2017 at 6:22 AM, Tetsuo Handa
> > > >> This BUG is reporting
> > > >>
> > > >> [ 26.089789] usercopy: kernel memory overwrite attempt detected to 0000000022a5b430 (kmalloc-1024) (1024 bytes)
> > > >>
> > > >> line. But isn't 0000000022a5b430 strange for kmalloc(1024, GFP_KERNEL)ed kernel address?
> > > >
> > > > The address is hashed (see the %p threads for 4.15).
> > >
> > >
> > > +Tobin, is there a way to disable hashing entirely? The only
> > > designation of syzbot is providing crash reports to kernel developers
> > > with as much info as possible. It's fine for it to leak whatever.
> >
> > We have new specifier %px to print addresses in hex if leaking info is
> > not a worry.
>
> Could we have a way to know that the printed address is hashed and not just
> a pointer getting completely scrogged? Perhaps prefix it with ... a hash!
> So this line would look like:
>
> [ 26.089789] usercopy: kernel memory overwrite attempt detected to #0000000022a5b430 (kmalloc-1024) (1024 bytes)
This poses the risk of breaking userland tools that parse the
address. The zeroing of the first 32 bits was a design compromise to
keep the address format while making _kind of_ explicit that some funny
business was going on.
> Or does that miss the point of hashing the address, so the attacker
> thinks its a real address?
No subterfuge intended.
Bonus points Wily, I had to go to 'The New Hackers Dictionary' to look
up 'scrogged' :)
thanks,
Tobin.
next prev parent reply other threads:[~2017-12-19 20:34 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-18 13:40 BUG: bad usercopy in memdup_user syzbot
2017-12-18 14:22 ` Tetsuo Handa
2017-12-18 14:22 ` Tetsuo Handa
2017-12-19 0:57 ` Kees Cook
2017-12-19 0:57 ` Kees Cook
2017-12-19 8:12 ` Dmitry Vyukov
2017-12-19 8:12 ` Dmitry Vyukov
2017-12-19 8:37 ` Tobin C. Harding
2017-12-19 8:37 ` Tobin C. Harding
2017-12-19 8:41 ` Dmitry Vyukov
2017-12-19 8:41 ` Dmitry Vyukov
2017-12-19 9:04 ` Tobin C. Harding
2017-12-19 9:04 ` Tobin C. Harding
2017-12-19 9:07 ` Dmitry Vyukov
2017-12-19 9:07 ` Dmitry Vyukov
2017-12-19 13:22 ` Matthew Wilcox
2017-12-19 13:22 ` Matthew Wilcox
2017-12-19 13:41 ` Dmitry Vyukov
2017-12-19 13:41 ` Dmitry Vyukov
2017-12-19 14:08 ` Tetsuo Handa
2017-12-19 14:08 ` Tetsuo Handa
2017-12-19 14:12 ` Dmitry Vyukov
2017-12-19 14:12 ` Dmitry Vyukov
2017-12-19 20:45 ` Tobin C. Harding
2017-12-19 20:45 ` Tobin C. Harding
2017-12-19 20:33 ` Tobin C. Harding [this message]
2017-12-19 20:33 ` Tobin C. Harding
2017-12-19 21:36 ` Linus Torvalds
2017-12-19 21:36 ` Linus Torvalds
2017-12-19 21:48 ` Al Viro
2017-12-19 21:48 ` Al Viro
2017-12-19 22:09 ` Randy Dunlap
2017-12-19 22:09 ` Randy Dunlap
2017-12-19 23:24 ` Linus Torvalds
2017-12-19 23:24 ` Linus Torvalds
2017-12-20 3:50 ` Matthew Wilcox
2017-12-20 3:50 ` Matthew Wilcox
2017-12-20 4:05 ` Linus Torvalds
2017-12-20 4:05 ` Linus Torvalds
2017-12-20 4:36 ` Linus Torvalds
2017-12-20 4:36 ` Linus Torvalds
2017-12-20 9:44 ` David Laight
2017-12-20 9:44 ` David Laight
2017-12-31 8:11 ` Dmitry Vyukov
2017-12-31 8:11 ` Dmitry Vyukov
2017-12-19 21:54 ` Kees Cook
2017-12-19 21:54 ` Kees Cook
2017-12-19 22:16 ` Matthew Wilcox
2017-12-19 22:16 ` Matthew Wilcox
2017-12-19 22:24 ` Laura Abbott
2017-12-19 22:24 ` Laura Abbott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171219203357.GT19604@eros \
--to=me@tobin.cc \
--cc=bot+719398b443fd30155f92f2a888e749026c62b427@syzkaller.appspotmail.com \
--cc=dave@nullcore.net \
--cc=dvyukov@google.com \
--cc=keescook@chromium.org \
--cc=keun-o.park@darkmatter.ae \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=syzkaller-bugs@googlegroups.com \
--cc=will.deacon@arm.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.